Remote-Access VPN - Unable to access devices at Remote (Client) end



  • I have used the Wizard to set up a Remote Access OpenVPN Server which employs Certificates and SSL/TLS. From the remote end, as an OpenVPN Client on a 4-G LTE Router, I can successfully log in to the pfSense OpenVPN Server and access devices on the configured "local networks" as planned.

    From a PC on one of the configured "local networks" I am unable to access any devices connected to the remote Client 4-G router's LAN.

    The OpenVPN Clients are hosted in small Linux computers on remote data acquisition sites. I need the ability to both receive data from these remote Clients at a device on the pfSense LAN and also interrogate devices at those remote sites across the VPN tunnel.

    There is no option in either the Remote-Access OpenVPN Wizard or the OpenVPN Server (Remote Access mode) configuration page to nominate remote networks. For example, I need to access devices on the LAN 10.8.2.0/24 situated on the other side of the Client 4-G router at a remote site.

    Please, what am I missing or what do I need to change to achieve this?



  • Take a look on the OpenVPN/Server page. Under Tunnel Settings there are settings for IPv4 & IPv6 networks. That's how you tell pfSense where to find the remote network. Also, it's a good idea to use traceroute from both ends, to see how far routing works.


  • LAYER 8 Netgate

    That is tricky because what you are really doing is creating a site-to-site. One of the biggest problems is you are trying to use OpenVPN client, which is designed to provide access to remote networks from that host, and trying to make it behave like a router, routing to subnets behind it as well.

    In your case I would not use a Remote Access configuration but a server-style SSL/TLS site-to-site server. The only real difference between the two configurations as far as pfSense is concerned is the fields presented in the GUI pages.

    You will have to place the remote subnets into Client-Specific overrides to properly route them to the appropriate connected client.

    There are also some hoops you will have to jump through on the client side. I don't remember exact details, but I'm pretty sure the last time I saw anyone achieve any kind of success with this it required some powershell.
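
The routing pieces mentioned in the replies above, written out as raw OpenVPN directives. This is an added example, not configuration posted by anyone in the thread: 10.8.2.0/24 is the remote LAN from the question, while the tunnel network 10.0.8.0/24, the central LAN 192.168.1.0/24, the common name `site1-nuc` and the file names are constructed placeholders. In pfSense the `route` line corresponds to the server's IPv4 Remote Network(s) field and the `iroute` line to the same field in a Client-Specific Override.

```conf
# ---- server.conf (constructed: tunnel 10.0.8.0/24, central LAN 192.168.1.0/24)
server 10.0.8.0 255.255.255.0
topology subnet
# Kernel route: hand traffic for the remote LAN to the OpenVPN process.
route 10.8.2.0 255.255.255.0
# Tell connecting clients how to reach the central LAN.
push "route 192.168.1.0 255.255.255.0"
# Per-client files, looked up by the client's certificate common name.
client-config-dir ccd

# ---- ccd/site1-nuc (file name must equal the client certificate CN; hypothetical)
# Internal route: inside OpenVPN, 10.8.2.0/24 is reachable via this client only.
# Without it the server drops packets for that subnet even though `route` exists.
iroute 10.8.2.0 255.255.255.0

# ---- /etc/sysctl.d/99-forward.conf on the Linux client (hypothetical file name)
# Allow the client host to forward packets between the tunnel and its LAN.
net.ipv4.ip_forward = 1
```

Because the override is matched on the certificate common name, each remote site needs its own certificate. Devices on 10.8.2.0/24 also need a return route to the central networks via the OpenVPN client host, unless that host is already their default gateway.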



  • Thanks for the responses.

    @Derelict This seems logical, and in fact we will shortly also be implementing a site-to-site configuration on the same router for two offices to the central site.

    If anyone can elaborate on "hoops you will have to jump through on the client side" that would be appreciated.

    We are using the latest version of pfSense.


  • LAYER 8 Netgate

    You'll probably just have to try it and, if traffic doesn't flow properly, figure out where it's breaking down. pcaps will be your friend.

    It's not a very common scenario.



  • @derelict I will try to post the network diagram.

    We are using two Devices at the Remote sites:

    1. An Intel NUC running custom data acquisition software which periodically publishes messages to the MQTT Broker at the central site. It initiates the OpenVPN channel to the central site via the 4G cellular wireless router.

    2. There is a power controlling/monitoring device at the site which has a web and SNMP interface. We need to occasionally check or reconfigure that from the central site.

    We would like to SSH into that device from the central site across the OpenVPN tunnel.

    All of this palaver comes about because of the "carrier grade NAT" at these Remote sites, which means we don't have static IP addresses and DynDNS doesn't work so we need to open the comms channel from that end.

